
I'm trying to build a mobile app that has login functionality with an ASP.NET Web API, and I need to implement token-based authentication.

What I need is: the first time the user logs in using username and password, a new token is generated with an expiry date, along with a refresh token. I'm thinking of the refresh token because then the user doesn't have to log in every time the token expires.

The token is saved on the mobile device and in the database, so with each request the app sends the token, either in the request header or with the posted data.

I don't exactly know how token-based authentication works in terms of sending the token encrypted or hashed to the user and processing the request on the server.

Edit: an attacker in the middle can just read the token and start sending requests to the server using the token. I mean he doesn't need to know what the token actually means.

I created a class that has these properties (UserID, Token, RefreshToken, ExpiryDate), but I read that it is not a good approach.

I'm using AES for encryption and SHA256 for hashing.

Thank you for your help.

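An added example, not code from the question or either answer, of the opaque-token pattern the question describes: the device receives random tokens, the server stores only their SHA-256 hashes, every request is checked against the expiry, and a refresh rotates the pair so a replayed old refresh token is rejected. The class and method names (TokenRecord, OpaqueTokens, an in-memory Store standing in for the database table) are assumptions for illustration, and the tokens are assumed to travel only over TLS, since the edit's man-in-the-middle can replay any bearer token he can read.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical server-side record (not the asker's class): only SHA-256 hashes of the
// tokens are persisted, so a leaked database does not hand out usable bearer tokens.
public class TokenRecord { public int UserId; public string AccessHash, RefreshHash; public DateTime AccessExpiresUtc, RefreshExpiresUtc; }

public static class OpaqueTokens
{
    // In-memory stand-in for the database table (constructed for this example).
    static readonly Dictionary<string, TokenRecord> Store = new Dictionary<string, TokenRecord>();

    // 32 CSPRNG bytes, base64url-encoded: unguessable and carrying no meaning, so there is nothing to decrypt.
    public static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static string Hash(string token)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // After username/password succeed: short-lived access token plus longer-lived refresh token.
    // The raw values go to the device exactly once; the server keeps only their hashes.
    public static Tuple<string, string> Issue(int userId, DateTime nowUtc)
    {
        string access = NewToken(), refresh = NewToken();
        var rec = new TokenRecord { UserId = userId, AccessHash = Hash(access), RefreshHash = Hash(refresh),
                                    AccessExpiresUtc = nowUtc.AddMinutes(15), RefreshExpiresUtc = nowUtc.AddDays(30) };
        Store[rec.AccessHash] = rec; Store[rec.RefreshHash] = rec;
        return Tuple.Create(access, refresh);
    }

    // Per-request check of the token taken from the Authorization header: hash, look up, enforce expiry.
    public static int? Validate(string presentedAccess, DateTime nowUtc)
    {
        TokenRecord rec; string h = Hash(presentedAccess);
        if (!Store.TryGetValue(h, out rec) || rec.AccessHash != h || nowUtc >= rec.AccessExpiresUtc) return null;
        return rec.UserId;
    }

    // Refresh rotates both tokens: the old pair is revoked, so a replayed refresh token is rejected.
    public static Tuple<string, string> Refresh(string presentedRefresh, DateTime nowUtc)
    {
        TokenRecord rec; string h = Hash(presentedRefresh);
        if (!Store.TryGetValue(h, out rec) || rec.RefreshHash != h || nowUtc >= rec.RefreshExpiresUtc) return null;
        Store.Remove(rec.AccessHash); Store.Remove(rec.RefreshHash);
        return Issue(rec.UserId, nowUtc);
    }
}
```

Because the token is random rather than derived from user data, AES encryption of it buys nothing; what matters is the hashed storage, the expiry check on every request, and the revocation of the old pair on refresh.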

2 Answers


See the following articles to understand how token-based authentication works in ASP.NET Web API.

  1. http://www.codeproject.com/Tips/821772/Claims-And-Token-Based-Authentication-ASP-NET-Web
  2. http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Answered 2015-04-26T14:40:46.920

Look up the OpenID and OpenID Connect specifications; they will tell you exactly how tokens should work in your case (the non-confidential, implicit client flow). If you don't want to use an external OpenID server, you can easily add OpenID endpoints to your ASP.NET Web API.

Answered 2016-03-23T22:31:30.330